[people/stevee/selinux-policy.git] / policy / modules / services / ssh.te

policy_module(ssh, 2.2.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	allow host key based authentication
##	</p>
## </desc>
gen_tunable(allow_ssh_keysign, false)

## <desc>
##	<p>
##	Allow ssh logins as sysadm_r:sysadm_t
##	</p>
## </desc>
gen_tunable(ssh_sysadm_login, false)

## <desc>
##	<p>
##	allow sshd to forward port connections
##	</p>
## </desc>
gen_tunable(sshd_forward_ports, false)

## <desc>
## <p>
## Allow ssh with chroot env to read and write files 
## in the user home directories
## </p>
## </desc>
gen_tunable(ssh_chroot_rw_homedirs, false)

attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;

ssh_dyntransition_domain_template(chroot_user_t)
ssh_dyntransition_domain_template(sshd_sandbox_t)

type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)

type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)

ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)

type sshd_initrc_exec_t;
init_script_file(sshd_initrc_exec_t)

type sshd_key_t;
files_type(sshd_key_t)

type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
application_domain(ssh_t, ssh_exec_t)
ubac_constrained(ssh_t)

type ssh_agent_exec_t;
corecmd_executable_file(ssh_agent_exec_t)

type ssh_agent_tmp_t;
typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
files_tmp_file(ssh_agent_tmp_t)
ubac_constrained(ssh_agent_tmp_t)

type ssh_keysign_t;
type ssh_keysign_exec_t;
typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
application_domain(ssh_keysign_t, ssh_keysign_exec_t)
ubac_constrained(ssh_keysign_t)

type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
files_tmpfs_file(ssh_tmpfs_t)
ubac_constrained(ssh_tmpfs_t)

type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
files_poly_parent(ssh_home_t)

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')

##############################
#
# SSH client local policy
#

allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
allow ssh_t self:key read;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
can_exec(ssh_t, ssh_exec_t)

# Read the ssh key file.
allow ssh_t sshd_key_t:file read_file_perms;

manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
userdom_read_all_users_keys(ssh_t)
userdom_stream_connect(ssh_t)
userdom_search_admin_dir(sshd_t)
userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })

# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)

allow ssh_t sshd_t:unix_stream_socket connectto;
allow ssh_t sshd_t:peer recv;

# ssh client can manage the keys and config
manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)

# ssh servers can read the user keys and config
manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)

kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)

corenet_all_recvfrom_unlabeled(ssh_t)
corenet_all_recvfrom_netlabel(ssh_t)
corenet_tcp_sendrecv_generic_if(ssh_t)
corenet_tcp_sendrecv_generic_node(ssh_t)
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
corenet_tcp_bind_generic_node(ssh_t)
corenet_tcp_bind_all_unreserved_ports(ssh_t)
corenet_rw_tun_tap_dev(ssh_t)

dev_read_rand(ssh_t)
dev_read_urand(ssh_t)

fs_getattr_all_fs(ssh_t)
fs_search_auto_mountpoints(ssh_t)

# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell(ssh_t)
corecmd_exec_bin(ssh_t)

domain_use_interactive_fds(ssh_t)

files_list_home(ssh_t)
files_read_usr_files(ssh_t)
files_read_etc_runtime_files(ssh_t)
files_read_etc_files(ssh_t)
files_read_var_files(ssh_t)

logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)

auth_use_nsswitch(ssh_t)

miscfiles_read_localization(ssh_t)
miscfiles_read_generic_certs(ssh_t)

seutil_read_config(ssh_t)

userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
userdom_search_admin_dir(ssh_t)
# Write to the user domain tty.
userdom_use_inherited_user_terminals(ssh_t)
# needs to read krb/write tgt
userdom_read_user_tmp_files(ssh_t)
userdom_write_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t)
userdom_read_home_certs(ssh_t)
userdom_home_manager(ssh_t)

tunable_policy(`allow_ssh_keysign',`
	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
')

# for port forwarding
tunable_policy(`user_tcp_server',`
	corenet_tcp_bind_ssh_port(ssh_t)
	corenet_tcp_bind_generic_node(ssh_t)
')

optional_policy(`
	gnome_stream_connect_all_gkeyringd(ssh_t)
')

optional_policy(`
	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
	xserver_domtrans_xauth(ssh_t)
')


##############################
#
# ssh_keysign_t local policy
#

tunable_policy(`allow_ssh_keysign',`
	allow ssh_keysign_t self:capability { setgid setuid };
	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;

	allow ssh_keysign_t sshd_key_t:file read_file_perms;

	dev_read_rand(ssh_keysign_t)
	dev_read_urand(ssh_keysign_t)

	files_read_etc_files(ssh_keysign_t)
')

#################################
#
# sshd local policy
#
# sshd_t is the domain for the sshd program.
#

# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
allow sshd_t self:process setcurrent;

kernel_search_key(sshd_t)
kernel_link_key(sshd_t)

term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
term_setattr_all_ttys(sshd_t)
term_relabelto_all_ptys(sshd_t)
term_use_ptmx(sshd_t)

# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)

userdom_read_user_home_content_files(sshd_t)
userdom_read_user_home_content_symlinks(sshd_t)
userdom_manage_tmp_role(system_r, sshd_t)
userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t)
userdom_dyntransition_unpriv_users(sshd_t)

tunable_policy(`sshd_forward_ports',`
	corenet_tcp_bind_all_unreserved_ports(sshd_t)
	corenet_tcp_connect_all_ports(sshd_t)
')

tunable_policy(`ssh_sysadm_login',`
	# Relabel and access ptys created by sshd
	# ioctl is necessary for logout() processing for utmp entry and for w to
	# display the tty.
	# some versions of sshd on the new SE Linux require setattr
	userdom_signal_all_users(sshd_t)
	userdom_spec_domtrans_all_users(sshd_t)
')

optional_policy(`
	amanda_search_var_lib(sshd_t)
')

optional_policy(`
	daemontools_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	kerberos_keytab_template(sshd, sshd_t)
')

optional_policy(`
	ftp_dyntrans_sftpd(sshd_t)
	ftp_dyntrans_anon_sftpd(sshd_t)
')

optional_policy(`
	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')

optional_policy(`
	nx_read_home_files(sshd_t)
')

optional_policy(`
	rpm_use_script_fds(sshd_t)
')

optional_policy(`
	rssh_spec_domtrans(sshd_t)
	# For reading /home/user/.ssh
	rssh_read_ro_content(sshd_t)
')

optional_policy(`
	systemd_exec_systemctl(sshd_t)
')

optional_policy(`
	usermanage_domtrans_passwd(sshd_t)
	usermanage_read_crack_db(sshd_t)
')

optional_policy(`
	unconfined_shell_domtrans(sshd_t)
')

optional_policy(`
	xserver_domtrans_xauth(sshd_t)
')

ifdef(`TODO',`
	tunable_policy(`ssh_sysadm_login',`
		# Relabel and access ptys created by sshd
		# ioctl is necessary for logout() processing for utmp entry and for w to
		# display the tty.
		# some versions of sshd on the new SE Linux require setattr
		allow sshd_t ptyfile:chr_file relabelto;

			optional_policy(`
				domain_trans(sshd_t, xauth_exec_t, userdomain)
			')
	',`
		optional_policy(`
			domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
		')
		# Relabel and access ptys created by sshd
		# ioctl is necessary for logout() processing for utmp entry and for w to
		# display the tty.
		# some versions of sshd on the new SE Linux require setattr
		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
	')
') dnl endif TODO

########################################
#
# ssh_keygen local policy
#

# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t

allow ssh_keygen_t self:capability dac_override;
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;

allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)

manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)

kernel_read_system_state(ssh_keygen_t)
kernel_read_kernel_sysctls(ssh_keygen_t)

fs_search_auto_mountpoints(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
dev_read_rand(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

domain_use_interactive_fds(ssh_keygen_t)

files_read_etc_files(ssh_keygen_t)

init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)

auth_use_nsswitch(ssh_keygen_t)

logging_send_syslog_msg(ssh_keygen_t)

userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
userdom_use_user_terminals(ssh_keygen_t)

optional_policy(`
	seutil_sigchld_newrole(ssh_keygen_t)
')

optional_policy(`
	udev_read_db(ssh_keygen_t)
')

####################################
#
# ssh_dyntransition domain local policy
#

allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };

allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;

optional_policy(`
    ssh_rw_stream_sockets(ssh_dyntransition_domain)
    ssh_rw_tcp_sockets(ssh_dyntransition_domain)
')

#####################################
#
# ssh_sandbox local policy
#

allow sshd_t sshd_sandbox_t:process signal;

init_ioctl_stream_sockets(sshd_sandbox_t)

logging_send_audit_msgs(sshd_sandbox_t)

######################################
#
# chroot_user_t local policy
#


userdom_read_user_home_content_files(chroot_user_t)
userdom_read_inherited_user_home_content_files(chroot_user_t)
userdom_read_user_home_content_symlinks(chroot_user_t)
userdom_exec_user_home_content_files(chroot_user_t)

tunable_policy(`ssh_chroot_rw_homedirs',`
        files_list_home(chroot_user_t)
        userdom_read_user_home_content_files(chroot_user_t)
        userdom_manage_user_home_content(chroot_user_t)
', `

        userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
')

tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
    fs_manage_nfs_dirs(chroot_user_t)
    fs_manage_nfs_files(chroot_user_t)
    fs_manage_nfs_symlinks(chroot_user_t)
')

tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
    fs_manage_cifs_dirs(chroot_user_t)
    fs_manage_cifs_files(chroot_user_t)
    fs_manage_cifs_symlinks(chroot_user_t)
')

tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
    fs_manage_fusefs_dirs(chroot_user_t)
    fs_manage_fusefs_files(chroot_user_t)
    fs_manage_fusefs_symlinks(chroot_user_t)
')

tunable_policy(`use_samba_home_dirs',`
    fs_read_cifs_files(chroot_user_t)
    fs_read_cifs_symlinks(chroot_user_t)
')

userdom_home_manager(chroot_user_t)

optional_policy(`
    ssh_rw_dgram_sockets(chroot_user_t)
')
Commit	Line	Data
29af4c13	1	policy_module(ssh, 2.2.0)
0404a390 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
56e1b3d2	8	## <desc>
1e2abee1 DG	9	## <p>
	10	## allow host key based authentication
	11	## </p>
56e1b3d2	12	## </desc>
0bfccda4	13	gen_tunable(allow_ssh_keysign, false)
56e1b3d2 CP	14
56e1b3d2 CP	15	## <desc>
1e2abee1 DG	16	## <p>
	17	## Allow ssh logins as sysadm_r:sysadm_t
	18	## </p>
56e1b3d2	19	## </desc>
0bfccda4	20	gen_tunable(ssh_sysadm_login, false)
56e1b3d2	21
3eaa9939	22	## <desc>
1e2abee1 DG	23	## <p>
	24	## allow sshd to forward port connections
	25	## </p>
3eaa9939 DW	26	## </desc>
	27	gen_tunable(sshd_forward_ports, false)
	28
919775fe MG	29	## <desc>
	30	## <p>
	31	## Allow ssh with chroot env to read and write files
	32	## in the user home directories
	33	## </p>
	34	## </desc>
	35	gen_tunable(ssh_chroot_rw_homedirs, false)
	36
f5dce57b	37	attribute ssh_dyntransition_domain;
45239964	38	attribute ssh_server;
296273a7	39	attribute ssh_agent_type;
0404a390	40
4c3a6f86 MG	41	ssh_dyntransition_domain_template(chroot_user_t)
	42	ssh_dyntransition_domain_template(sshd_sandbox_t)
	43
75beb950	44	type ssh_keygen_t;
0404a390	45	type ssh_keygen_exec_t;
0bfccda4	46	init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
0404a390	47
e070dd2d	48	type sshd_exec_t;
fb63d0b5	49	corecmd_executable_file(sshd_exec_t)
c3812748	50
6b19be33	51	ssh_server_template(sshd)
0bfccda4	52	init_daemon_domain(sshd_t, sshd_exec_t)
6b19be33	53
3eaa9939 DW	54	type sshd_initrc_exec_t;
	55	init_script_file(sshd_initrc_exec_t)
	56
375c2415 CP	57	type sshd_key_t;
375c2415 CP	58	files_type(sshd_key_t)
9ccd96df	59
296273a7 CP	60	type ssh_t;
	61	type ssh_exec_t;
	62	typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
	63	typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
	64	application_domain(ssh_t, ssh_exec_t)
	65	ubac_constrained(ssh_t)
	66
	67	type ssh_agent_exec_t;
	68	corecmd_executable_file(ssh_agent_exec_t)
	69
	70	type ssh_agent_tmp_t;
	71	typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
	72	typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
	73	files_tmp_file(ssh_agent_tmp_t)
	74	ubac_constrained(ssh_agent_tmp_t)
	75
	76	type ssh_keysign_t;
	77	type ssh_keysign_exec_t;
	78	typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
	79	typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
	80	application_domain(ssh_keysign_t, ssh_keysign_exec_t)
	81	ubac_constrained(ssh_keysign_t)
	82
	83	type ssh_tmpfs_t;
	84	typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
	85	typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
	86	files_tmpfs_file(ssh_tmpfs_t)
	87	ubac_constrained(ssh_tmpfs_t)
	88
cde15072 CP	89	type ssh_home_t;
	90	typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
	91	typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
cde15072	92	userdom_user_home_content(ssh_home_t)
8ba1f41a	93	files_poly_parent(ssh_home_t)
296273a7	94
4781493e DG	95	ifdef(`enable_mcs',`
	96	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
	97	')
	98
296273a7 CP	99	##############################
	100	#
	101	# SSH client local policy
	102	#
	103
	104	allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
	105	allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	106	allow ssh_t self:fd use;
	107	allow ssh_t self:fifo_file rw_fifo_file_perms;
8f471092	108	allow ssh_t self:key read;
296273a7 CP	109	allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
	110	allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
	111	allow ssh_t self:shm create_shm_perms;
	112	allow ssh_t self:sem create_sem_perms;
	113	allow ssh_t self:msgq create_msgq_perms;
	114	allow ssh_t self:msg { send receive };
cde15072	115	allow ssh_t self:tcp_socket create_stream_socket_perms;
64607462	116	can_exec(ssh_t, ssh_exec_t)
296273a7 CP	117
	118	# Read the ssh key file.
	119	allow ssh_t sshd_key_t:file read_file_perms;
	120
296273a7 CP	121	manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
	122	manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
	123	manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
	124	manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
cde15072	125	fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
296273a7	126
edc2f7de CP	127	manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
	128	manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
	129	userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
8f471092	130	userdom_read_all_users_keys(ssh_t)
3eaa9939	131	userdom_stream_connect(ssh_t)
726d3fd9	132	userdom_search_admin_dir(sshd_t)
70be862b	133	userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
296273a7 CP	134
	135	# Allow the ssh program to communicate with ssh-agent.
	136	stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
	137
	138	allow ssh_t sshd_t:unix_stream_socket connectto;
5dd938af	139	allow ssh_t sshd_t:peer recv;
296273a7 CP	140
296273a7 CP	141	# ssh client can manage the keys and config
edc2f7de CP	142	manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
edc2f7de CP	143	read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
296273a7 CP	144
296273a7 CP	145	# ssh servers can read the user keys and config
3eaa9939 DW	146	manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
	147	manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
	148	userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
	149	userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
296273a7 CP	150
296273a7 CP	151	kernel_read_kernel_sysctls(ssh_t)
cde15072	152	kernel_read_system_state(ssh_t)
296273a7 CP	153
	154	corenet_all_recvfrom_unlabeled(ssh_t)
	155	corenet_all_recvfrom_netlabel(ssh_t)
668b3093	156	corenet_tcp_sendrecv_generic_if(ssh_t)
c1262146	157	corenet_tcp_sendrecv_generic_node(ssh_t)
296273a7 CP	158	corenet_tcp_sendrecv_all_ports(ssh_t)
	159	corenet_tcp_connect_ssh_port(ssh_t)
	160	corenet_sendrecv_ssh_client_packets(ssh_t)
3eaa9939 DW	161	corenet_tcp_bind_generic_node(ssh_t)
3eaa9939 DW	162	corenet_tcp_bind_all_unreserved_ports(ssh_t)
2e52e8cf	163	corenet_rw_tun_tap_dev(ssh_t)
296273a7	164
8fd700fe	165	dev_read_rand(ssh_t)
296273a7 CP	166	dev_read_urand(ssh_t)
	167
	168	fs_getattr_all_fs(ssh_t)
	169	fs_search_auto_mountpoints(ssh_t)
	170
	171	# run helper programs - needed eg for x11-ssh-askpass
	172	corecmd_exec_shell(ssh_t)
	173	corecmd_exec_bin(ssh_t)
	174
	175	domain_use_interactive_fds(ssh_t)
	176
	177	files_list_home(ssh_t)
	178	files_read_usr_files(ssh_t)
	179	files_read_etc_runtime_files(ssh_t)
	180	files_read_etc_files(ssh_t)
	181	files_read_var_files(ssh_t)
	182
	183	logging_send_syslog_msg(ssh_t)
	184	logging_read_generic_logs(ssh_t)
	185
cde15072 CP	186	auth_use_nsswitch(ssh_t)
cde15072 CP	187
296273a7	188	miscfiles_read_localization(ssh_t)
442a14fe	189	miscfiles_read_generic_certs(ssh_t)
296273a7 CP	190
	191	seutil_read_config(ssh_t)
	192
296273a7 CP	193	userdom_dontaudit_list_user_home_dirs(ssh_t)
296273a7 CP	194	userdom_search_user_home_dirs(ssh_t)
bebaa6a2	195	userdom_search_admin_dir(ssh_t)
296273a7	196	# Write to the user domain tty.
af2d8802	197	userdom_use_inherited_user_terminals(ssh_t)
3eaa9939	198	# needs to read krb/write tgt
296273a7	199	userdom_read_user_tmp_files(ssh_t)
3eaa9939 DW	200	userdom_write_user_tmp_files(ssh_t)
3eaa9939 DW	201	userdom_read_user_home_content_symlinks(ssh_t)
ded9692e	202	userdom_read_home_certs(ssh_t)
ed2ac112	203	userdom_home_manager(ssh_t)
296273a7 CP	204
296273a7 CP	205	tunable_policy(`allow_ssh_keysign',`
3c4ffa32	206	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
296273a7 CP	207	')
296273a7 CP	208
296273a7 CP	209	# for port forwarding
	210	tunable_policy(`user_tcp_server',`
	211	corenet_tcp_bind_ssh_port(ssh_t)
cde15072	212	corenet_tcp_bind_generic_node(ssh_t)
296273a7 CP	213	')
296273a7 CP	214
27608c5b DW	215	optional_policy(`
	216	gnome_stream_connect_all_gkeyringd(ssh_t)
	217	')
	218
296273a7 CP	219	optional_policy(`
	220	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
	221	xserver_domtrans_xauth(ssh_t)
	222	')
	223
3eaa9939	224
296273a7 CP	225	##############################
	226	#
	227	# ssh_keysign_t local policy
	228	#
	229
	230	tunable_policy(`allow_ssh_keysign',`
	231	allow ssh_keysign_t self:capability { setgid setuid };
	232	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
	233
7d1f5642	234	allow ssh_keysign_t sshd_key_t:file read_file_perms;
296273a7	235
8fd700fe	236	dev_read_rand(ssh_keysign_t)
296273a7 CP	237	dev_read_urand(ssh_keysign_t)
	238
	239	files_read_etc_files(ssh_keysign_t)
	240	')
	241
0404a390 CP	242	#################################
	243	#
	244	# sshd local policy
	245	#
	246	# sshd_t is the domain for the sshd program.
	247	#
	248
6b19be33 CP	249	# so a tunnel can point to another ssh tunnel
	250	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
	251	allow sshd_t self:key { search link write };
3eaa9939	252	allow sshd_t self:process setcurrent;
44d5d93f	253
6b19be33 CP	254	kernel_search_key(sshd_t)
	255	kernel_link_key(sshd_t)
	256
c3c753f7 CP	257	term_use_all_ptys(sshd_t)
c3c753f7 CP	258	term_setattr_all_ptys(sshd_t)
3eaa9939	259	term_setattr_all_ttys(sshd_t)
c3c753f7	260	term_relabelto_all_ptys(sshd_t)
3eaa9939	261	term_use_ptmx(sshd_t)
296273a7	262
6b19be33 CP	263	# for X forwarding
	264	corenet_tcp_bind_xserver_port(sshd_t)
	265	corenet_sendrecv_xserver_server_packets(sshd_t)
	266
3eaa9939 DW	267	userdom_read_user_home_content_files(sshd_t)
3eaa9939 DW	268	userdom_read_user_home_content_symlinks(sshd_t)
3eaa9939	269	userdom_manage_tmp_role(system_r, sshd_t)
4781493e DG	270	userdom_spec_domtrans_unpriv_users(sshd_t)
4781493e DG	271	userdom_signal_unpriv_users(sshd_t)
919775fe	272	userdom_dyntransition_unpriv_users(sshd_t)
4781493e DG	273
	274	tunable_policy(`sshd_forward_ports',`
	275	corenet_tcp_bind_all_unreserved_ports(sshd_t)
	276	corenet_tcp_connect_all_ports(sshd_t)
	277	')
3eaa9939	278
6b19be33 CP	279	tunable_policy(`ssh_sysadm_login',`
	280	# Relabel and access ptys created by sshd
	281	# ioctl is necessary for logout() processing for utmp entry and for w to
	282	# display the tty.
	283	# some versions of sshd on the new SE Linux require setattr
6b19be33	284	userdom_signal_all_users(sshd_t)
f39ff1fa	285	userdom_spec_domtrans_all_users(sshd_t)
6b19be33 CP	286	')
6b19be33 CP	287
57ce3836	288	optional_policy(`
5a1cc7f0	289	amanda_search_var_lib(sshd_t)
57ce3836 DW	290	')
57ce3836 DW	291
cde15072	292	optional_policy(`
088b65e5	293	daemontools_service_domain(sshd_t, sshd_exec_t)
cde15072 CP	294	')
cde15072 CP	295
3eaa9939 DW	296	optional_policy(`
	297	kerberos_keytab_template(sshd, sshd_t)
	298	')
	299
	300	optional_policy(`
	301	ftp_dyntrans_sftpd(sshd_t)
	302	ftp_dyntrans_anon_sftpd(sshd_t)
	303	')
	304
6b19be33	305	optional_policy(`
088b65e5	306	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
6b19be33 CP	307	')
	308
	309	optional_policy(`
3eaa9939	310	nx_read_home_files(sshd_t)
6b19be33 CP	311	')
	312
	313	optional_policy(`
	314	rpm_use_script_fds(sshd_t)
	315	')
	316
	317	optional_policy(`
296273a7	318	rssh_spec_domtrans(sshd_t)
6b19be33	319	# For reading /home/user/.ssh
296273a7	320	rssh_read_ro_content(sshd_t)
6b19be33 CP	321	')
6b19be33 CP	322
151056b0 MG	323	optional_policy(`
	324	systemd_exec_systemctl(sshd_t)
	325	')
	326
3eaa9939 DW	327	optional_policy(`
	328	usermanage_domtrans_passwd(sshd_t)
	329	usermanage_read_crack_db(sshd_t)
	330	')
	331
350b6ab7	332	optional_policy(`
350b6ab7 CP	333	unconfined_shell_domtrans(sshd_t)
	334	')
	335
088b65e5 CP	336	optional_policy(`
	337	xserver_domtrans_xauth(sshd_t)
	338	')
	339
6b19be33	340	ifdef(`TODO',`
1e2abee1 DG	341	tunable_policy(`ssh_sysadm_login',`
	342	# Relabel and access ptys created by sshd
	343	# ioctl is necessary for logout() processing for utmp entry and for w to
	344	# display the tty.
	345	# some versions of sshd on the new SE Linux require setattr
	346	allow sshd_t ptyfile:chr_file relabelto;
	347
	348	optional_policy(`
	349	domain_trans(sshd_t, xauth_exec_t, userdomain)
	350	')
	351	',`
	352	optional_policy(`
	353	domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
	354	')
	355	# Relabel and access ptys created by sshd
	356	# ioctl is necessary for logout() processing for utmp entry and for w to
	357	# display the tty.
	358	# some versions of sshd on the new SE Linux require setattr
7d1f5642	359	allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
5540e76a	360	')
6b19be33	361	') dnl endif TODO
0404a390	362
0404a390 CP	363	########################################
	364	#
	365	# ssh_keygen local policy
	366	#
	367
75beb950 CP	368	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
75beb950 CP	369	# and by sysadm_t
0404a390	370
3e23c54b	371	allow ssh_keygen_t self:capability dac_override;
75beb950 CP	372	dontaudit ssh_keygen_t self:capability sys_tty_config;
75beb950 CP	373	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
75beb950	374	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
0404a390	375
c0868a7a	376	allow ssh_keygen_t sshd_key_t:file manage_file_perms;
0bfccda4	377	files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
0404a390	378
58c3d0e9 MG	379	manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
	380	manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
	381	userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
092a35ee	382	userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
58c3d0e9	383
c1a9a532	384	kernel_read_system_state(ssh_keygen_t)
75beb950	385	kernel_read_kernel_sysctls(ssh_keygen_t)
0404a390	386
75beb950	387	fs_search_auto_mountpoints(ssh_keygen_t)
ab940a4c	388
75beb950	389	dev_read_sysfs(ssh_keygen_t)
b76a6a16	390	dev_read_rand(ssh_keygen_t)
75beb950	391	dev_read_urand(ssh_keygen_t)
0404a390	392
75beb950	393	term_dontaudit_use_console(ssh_keygen_t)
0404a390	394
75beb950	395	domain_use_interactive_fds(ssh_keygen_t)
0404a390	396
75beb950	397	files_read_etc_files(ssh_keygen_t)
0404a390	398
75beb950 CP	399	init_use_fds(ssh_keygen_t)
75beb950 CP	400	init_use_script_ptys(ssh_keygen_t)
0404a390	401
cde15072 CP	402	auth_use_nsswitch(ssh_keygen_t)
cde15072 CP	403
75beb950	404	logging_send_syslog_msg(ssh_keygen_t)
0404a390	405
75beb950	406	userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
0b0d648a	407	userdom_use_user_terminals(ssh_keygen_t)
0404a390	408
75beb950 CP	409	optional_policy(`
	410	seutil_sigchld_newrole(ssh_keygen_t)
	411	')
	412
	413	optional_policy(`
	414	udev_read_db(ssh_keygen_t)
c0d1566a	415	')
919775fe	416
4c3a6f86 MG	417	####################################
	418	#
	419	# ssh_dyntransition domain local policy
	420	#
	421
	422	allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
	423
	424	allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
	425
	426	optional_policy(`
	427	ssh_rw_stream_sockets(ssh_dyntransition_domain)
	428	ssh_rw_tcp_sockets(ssh_dyntransition_domain)
	429	')
	430
	431	#####################################
	432	#
	433	# ssh_sandbox local policy
	434	#
	435
	436	allow sshd_t sshd_sandbox_t:process signal;
	437
	438	init_ioctl_stream_sockets(sshd_sandbox_t)
	439
	440	logging_send_audit_msgs(sshd_sandbox_t)
	441
919775fe MG	442	######################################
	443	#
	444	# chroot_user_t local policy
	445	#
	446
919775fe MG	447
	448	userdom_read_user_home_content_files(chroot_user_t)
	449	userdom_read_inherited_user_home_content_files(chroot_user_t)
	450	userdom_read_user_home_content_symlinks(chroot_user_t)
	451	userdom_exec_user_home_content_files(chroot_user_t)
	452
	453	tunable_policy(`ssh_chroot_rw_homedirs',`
	454	files_list_home(chroot_user_t)
	455	userdom_read_user_home_content_files(chroot_user_t)
	456	userdom_manage_user_home_content(chroot_user_t)
	457	', `
	458
	459	userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
	460	')
	461
	462	tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
	463	fs_manage_nfs_dirs(chroot_user_t)
	464	fs_manage_nfs_files(chroot_user_t)
	465	fs_manage_nfs_symlinks(chroot_user_t)
	466	')
	467
	468	tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
	469	fs_manage_cifs_dirs(chroot_user_t)
	470	fs_manage_cifs_files(chroot_user_t)
	471	fs_manage_cifs_symlinks(chroot_user_t)
	472	')
	473
8b6c8e05	474	tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
fbf13449	475	fs_manage_fusefs_dirs(chroot_user_t)
8b6c8e05	476	fs_manage_fusefs_files(chroot_user_t)
fbf13449	477	fs_manage_fusefs_symlinks(chroot_user_t)
8b6c8e05 MG	478	')
8b6c8e05 MG	479
919775fe MG	480	tunable_policy(`use_samba_home_dirs',`
	481	fs_read_cifs_files(chroot_user_t)
	482	fs_read_cifs_symlinks(chroot_user_t)
	483	')
	484
ed2ac112	485	userdom_home_manager(chroot_user_t)
8b6c8e05	486
919775fe	487	optional_policy(`
919775fe MG	488	ssh_rw_dgram_sockets(chroot_user_t)
919775fe MG	489	')